This repository has been archived by the owner on Sep 13, 2023. It is now read-only.
file.yml
name: File
definition: A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media)
collection_layers:
  - Host
platforms:
  - Windows
  - Linux
  - macOS
  - Network
contributors:
  - ATT&CK
  - Center for Threat-Informed Defense (CTID)
data_components:
  - name: File Metadata
    type: information
    description: "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc."
    relationships:
      - source_data_element: process
        relationship: created
        target_data_element: file stream
      - source_data_element: process
        relationship: retrieved information about
        target_data_element: file
      - source_data_element: user
        relationship: retrieved information about
        target_data_element: file
  - name: File Creation
    type: activity
    description: "Initial construction of a new file (ex: Sysmon EID 11)"
    relationships:
      - source_data_element: process
        relationship: created
        target_data_element: file
  - name: File Deletion
    type: activity
    description: "Removal of a file (ex: Sysmon EID 23)"
    relationships:
      - source_data_element: process
        relationship: deleted
        target_data_element: file
      - source_data_element: user
        relationship: deleted
        target_data_element: file
  - name: File Access
    type: activity
    description: "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)"
    relationships:
      - source_data_element: user
        relationship: accessed
        target_data_element: file
      - source_data_element: process
        relationship: accessed
        target_data_element: file
      - source_data_element: user
        relationship: requested access to
        target_data_element: file
      - source_data_element: process
        relationship: requested access to
        target_data_element: file
  - name: File Modification
    type: activity
    description: "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)"
    relationships:
      - source_data_element: process
        relationship: modified
        target_data_element: file
      - source_data_element: user
        relationship: modified
        target_data_element: file
references:
  - https://docs.microsoft.com/en-us/windows/win32/fileio/file-management